IoT Certificate Revocation

CRL or OCSP to maintain IoT security

Certificate-based authentication checks the authenticity of a certificate – certificate identity, expiry, issuing certificate authority and revocation status – with a validation authority to be sure the certificate can be trusted. If the certificate can prove its identity, it is validated.

Revoke certificate validity to maintain IoT security

IoT certificates have validity periods or lifespans, that are expected to be in use for their full durations. Sometimes however, it’s necessary to revoke a certificate before its scheduled expiration date. That can happen for many reasons including:

  • a device being retired before the certificate expires
  • a change of company or product line name
  • a lost or stolen private key which compromises security

Employ CRL or OCSP authentication methods to ensure certificate validity

When a certificate revocation is necessary, GlobalSign’s IoT Validation Authority revokes the good standing of the certificate either through the use of a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP).

A CRL is a registry of digital certificates, updated at regular intervals, that have been revoked by the issuing Certificate Authority (CA), and functions like a blacklist. GET requests are made to the GlobalSign list server, which returns the list of revoked certificates. If the certificate in question appears on the CRL, it cannot be authenticated and should not be trusted.

OCSP is a more dynamic method of certificate validation that determines the current status of a digital certificate without requiring CRL. Applications or OCSP clients put calls into our GlobalSign managed OCSP responder, which checks and confirms certificate data, and immediately replies with confirmation or negation of certificate authentication.